Hackers strike again as cross-chain protocol loses $11 million
Hackers have struck again. The Verus-Ethereum Bridge hack, which unfolded on Monday, May 18, drained more than $11 million in digital assets from the cross-chain protocol in what security researchers are calling a forged transfer exploit, and the crypto industry is once again left asking why these vulnerabilities keep being found the hard way.
Blockchain security firms Blockaid, PeckShield, and ExVul linked the exploit to missing validation checks inside the bridge’s verification process. Blockaid’s monitoring systems flagged suspicious activity tied to the bridge, identifying the attacker wallet as beginning with “0x5aBb” and noting that stolen funds were moved into a separate address ending in “C25F9.”
PeckShield confirmed that the attacker drained approximately 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge. The stolen assets were then swapped into 5,402.4 ETH, valued at around $11.4 million, and the funds remain sitting in the wallet address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.
The trail of the attacker’s preparation tells a familiar story. Hours before the exploit, PeckShield noted that the attacker’s wallet had received 1 ETH through crypto mixer Tornado Cash, a detail that frequently appears in attacks where perpetrators attempt to obscure transaction origins.
As for what exactly went wrong technically, Blockaid was precise. The firm clarified that the exploit was “not an ECDSA bypass,” “not a notary key compromise,” and “not a parser/hash-binding bug,” attributing the issue instead to “a missing source-amount validation in checkCCEValues”, a flaw they described as one that could reportedly be fixed with around 10 lines of Solidity code. A ten-line fix for an eleven-million-dollar loss.
Security firm GoPlus suggested the exploit may have involved a sophisticated flaw in the bridge’s transaction validation system, with the attacker seemingly sending a low-value transaction to the bridge contract before triggering a function that enabled the batch transfer of reserve assets directly to the drainer wallet.
The Verus-Ethereum Bridge hack does not exist in a vacuum. The incident arrived just three days after THORChain halted trading following a breach of one of its vaults that reportedly drained over $10 million in protocol-owned funds, though THORChain stated user balances were not affected. Before Verus, DeFiLlama data showed 12 DeFi protocols had already been hit in May 2026, with collective losses already topping $20 million for the month.
Zoom out further and the picture is grimmer. Crypto hackers stole more than $168.6 million from 34 DeFi protocols in the first quarter of 2026 alone. April then set the year’s benchmark, with the $292 million Kelp DAO bridge exploit and the reported $280 million Drift Protocol drain making it the worst month on record for cross-chain infrastructure.
The Kelp DAO exploit, in particular, has become a defining reference point. The attacker in that case tricked LayerZero’s cross-chain messaging layer into believing a valid instruction had arrived from another network, triggering the bridge to release 116,500 rsETH to an attacker-controlled address, with the protocol’s emergency pauser multisig only freezing contracts 46 minutes after the drain.
Experts say the pattern is no coincidence. Bridge infrastructure has produced two of the three largest DeFi exploits in 2026, and the failure modes have not meaningfully changed from 2022, attackers are not finding novel vulnerabilities but rather exploiting the same structural weaknesses in cross-chain message verification at an ever-larger scale, because bridge total value locked keeps growing.
As Sergej Kunz, co-founder of 1inch, put it: “Anything that can go wrong will go wrong, and bridge hacks are a perfect example. You see code vulnerabilities, centralization issues, social engineering, even economic attacks. Usually it’s a mix.”
The Verus-Ethereum Bridge hack is a reminder that for all the sophistication of modern blockchain ecosystems, the seams between chains remain among the most dangerous places to park value. Until validation standards improve and emergency pause mechanisms become industry defaults, cross-chain bridges will keep making headlines for the wrong reasons.
